Well... this was something we could not agree on while drafting the spec. 
Technically speaking, since the appendix is non-normative, you should not use 
it for any compliance decision. And yes, the spec does include an implied 
requirement to support all three methods by the server and at least one by the 
client.

But given how much OAuth does not interop well across services, it doesn't 
really matter much at this point.

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Jason Davies
> Sent: Wednesday, July 29, 2009 4:09 PM
> To: OAuth
> Subject: [oauth] Is supporting HTTP POST body parameters mandatory?
> 
> 
> From the IETF draft 01, section 6.1.1:
> 
>    The request parameters, which include both protocol parameters and
>    request-specific parameters, are extracted and restored to their
>    original unencoded form, from the following sources:
> 
> It then lists the Authorization header, request body and URI query
> component.
> 
> Now, this indicates to me that all three sources must be supported to
> conform to the spec.
> 
> However, from the example in OAuth Discovery 1.0 Draft 2, Appendix A:
> 
>    The Service Provider does not support parameters in the HTTP body.
> 
> My understanding is that things like this are probably up to the
> Service Provider to decide whether they provide them or not, as
> consumers will be written with a particular Service Provider in mind
> anyway.  Some clarification for peace of mind would be useful though.
> 
> For the moment I am not supporting request parameters sent via the
> POST body in CouchDB, and it's probably not worth adding it unless
> there is a good reason as consuming the request body before passing
> the request on to other handlers means I have to pass the request body
> to them too i.e. possible performance hit and deeper changes needed to
> the code.
> 
> Thanks again,
> 
> Jason
> 
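An added example, not part of the original thread: a sketch of the parameter collection step quoted from section 6.1.1, showing what a Service Provider misses when it skips the request body. It assumes the OAuth Core 1.0 rules that `realm` and `oauth_signature` are excluded and that the body counts only when it is form-encoded; the function names and the sample request are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

FORM = "application/x-www-form-urlencoded"

def collect_params(url, headers, body=b"", read_body=True):
    """Return the decoded (name, value) pairs that feed the signature, sorted."""
    # Source 1: URI query component.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # Source 2: Authorization header using the OAuth scheme.
    auth = headers.get("Authorization", "")
    if auth[:6].lower() == "oauth ":
        for name, value in re.findall(r'([^\s,="]+)="([^"]*)"', auth[6:]):
            if name != "realm":  # realm is not a request parameter
                params.append((unquote(name), unquote(value)))
    # Source 3: request body, only when it is a form-encoded entity.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if read_body and ctype == FORM:
        params += parse_qsl(body.decode("ascii"), keep_blank_values=True)
    # The signature itself is never part of what gets signed.
    return sorted(p for p in params if p[0] != "oauth_signature")

def missed_without_body(url, headers, body):
    """Parameters a header/query-only server would leave out of its base string."""
    seen = collect_params(url, headers, body, read_body=False)
    return [p for p in collect_params(url, headers, body) if p not in seen]

# Constructed sample request: protocol parameters split across header and body.
SAMPLE_URL = "http://sp.example/photos?size=original"
SAMPLE_HEADERS = {
    "Authorization": 'OAuth realm="Photos", oauth_consumer_key="ck-example", '
                     'oauth_nonce="n1", oauth_signature="sig%3D"',
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
}
SAMPLE_BODY = b"file=vacation.jpg&oauth_token=tok-example"

if __name__ == "__main__":
    print("all three sources:", collect_params(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
    print("missed if body is skipped:",
          missed_without_body(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```

A server that skips the body builds its signature base string from a smaller parameter set than the client signed, so verification fails for any consumer that sends parameters that way.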
